feat: helm v2-alpha: add nodeSelector, toleration and affinity to the chart

Author: robinlioret

docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/manager/manager.yaml

@@ -21,6 +21,15 @@ spec:
                 app.kubernetes.io/name: project
                 control-plane: controller-manager
         spec:
+            {{- with .Values.manager.tolerations }}
+            tolerations: {{ toYaml . | nindent 16 }}
+            {{- end }}
+            {{- with .Values.manager.affinity }}
+            affinity: {{ toYaml . | nindent 16 }}
+            {{- end }}
+            {{- with .Values.manager.nodeSelector }}
+            nodeSelector: {{ toYaml . | nindent 16 }}
+            {{- end }}
             containers:
                 - args:
                     {{- if .Values.metrics.enable }}

docs/book/src/cronjob-tutorial/testdata/project/dist/chart/values.yaml

@@ -40,6 +40,15 @@ manager:
         cpu: 10m
         memory: 64Mi
 
+  # Manager pod's affinity
+  affinity: {}
+
+  # Manager pod's node selector
+  nodeSelector: {}
+
+  # Manager pod's tolerations
+  tolerations: []
+
 # Essential RBAC permissions (required for controller operation)
 # These include ServiceAccount, controller permissions, leader election, and metrics access
 # Note: Essential RBAC is always enabled as it's required for the controller to function

docs/book/src/getting-started/testdata/project/dist/chart/templates/manager/manager.yaml

@@ -21,6 +21,15 @@ spec:
                 app.kubernetes.io/name: project
                 control-plane: controller-manager
         spec:
+            {{- with .Values.manager.tolerations }}
+            tolerations: {{ toYaml . | nindent 16 }}
+            {{- end }}
+            {{- with .Values.manager.affinity }}
+            affinity: {{ toYaml . | nindent 16 }}
+            {{- end }}
+            {{- with .Values.manager.nodeSelector }}
+            nodeSelector: {{ toYaml . | nindent 16 }}
+            {{- end }}
             containers:
                 - args:
                     {{- if .Values.metrics.enable }}

docs/book/src/getting-started/testdata/project/dist/chart/values.yaml

@@ -40,6 +40,15 @@ manager:
         cpu: 10m
         memory: 64Mi
 
+  # Manager pod's affinity
+  affinity: {}
+
+  # Manager pod's node selector
+  nodeSelector: {}
+
+  # Manager pod's tolerations
+  tolerations: []
+
 # Essential RBAC permissions (required for controller operation)
 # These include ServiceAccount, controller permissions, leader election, and metrics access
 # Note: Essential RBAC is always enabled as it's required for the controller to function

docs/book/src/multiversion-tutorial/testdata/project/dist/chart/templates/manager/manager.yaml

@@ -21,6 +21,15 @@ spec:
                 app.kubernetes.io/name: project
                 control-plane: controller-manager
         spec:
+            {{- with .Values.manager.tolerations }}
+            tolerations: {{ toYaml . | nindent 16 }}
+            {{- end }}
+            {{- with .Values.manager.affinity }}
+            affinity: {{ toYaml . | nindent 16 }}
+            {{- end }}
+            {{- with .Values.manager.nodeSelector }}
+            nodeSelector: {{ toYaml . | nindent 16 }}
+            {{- end }}
             containers:
                 - args:
                     {{- if .Values.metrics.enable }}

docs/book/src/multiversion-tutorial/testdata/project/dist/chart/values.yaml

@@ -40,6 +40,15 @@ manager:
         cpu: 10m
         memory: 64Mi
 
+  # Manager pod's affinity
+  affinity: {}
+
+  # Manager pod's node selector
+  nodeSelector: {}
+
+  # Manager pod's tolerations
+  tolerations: []
+
 # Essential RBAC permissions (required for controller operation)
 # These include ServiceAccount, controller permissions, leader election, and metrics access
 # Note: Essential RBAC is always enabled as it's required for the controller to function

docs/book/src/plugins/available/helm-v2-alpha.md

@@ -188,6 +188,35 @@ controllerManager:
       cpu: 10m
       memory: 64Mi
 
+  # Manager pod's affinity
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+          - matchExpressions:
+            - key: kubernetes.io/arch
+              operator: In
+              values:
+                - amd64
+                - arm64
+                - ppc64le
+                - s390x
+            - key: kubernetes.io/os
+              operator: In
+              values:
+                - linux
+
+  # Manager pod's node selector
+  nodeSelector:
+    kubernetes.io/os: linux
+
+  # Manager pod's tolerations
+  tolerations:
+    - key: "node.kubernetes.io/unreachable"
+      operator: "Exists"
+      effect: "NoExecute"
+      tolerationSeconds: 6000
+
 # Essential RBAC permissions (required for controller operation)
 # These include ServiceAccount, controller permissions, leader election, and metrics access
 # Note: Essential RBAC is always enabled as it's required for the controller to function

pkg/plugins/optional/helm/v2alpha/scaffolds/internal/kustomize/chart_converter.go

@@ -106,6 +106,10 @@ func (c *ChartConverter) ExtractDeploymentConfig() map[string]any {
 
 	extractPodSecurityContext(specMap, config)
 	extractImagePullSecrets(specMap, config)
+	extractPodNodeSelector(specMap, config)
+	extractPodTolerations(specMap, config)
+	extractPodAffinity(specMap, config)
+
 	container := firstManagerContainer(specMap)
 	if container == nil {
 		return config
@@ -163,6 +167,48 @@ func extractPodSecurityContext(specMap map[string]any, config map[string]any) {
 	config["podSecurityContext"] = podSecurityContext
 }
 
+func extractPodNodeSelector(specMap map[string]any, config map[string]any) {
+	raw, found, err := unstructured.NestedFieldNoCopy(specMap, "nodeSelector")
+	if !found || err != nil {
+		return
+	}
+
+	result, ok := raw.(map[string]any)
+	if !ok || len(result) == 0 {
+		return
+	}
+
+	config["podNodeSelector"] = result
+}
+
+func extractPodTolerations(specMap map[string]any, config map[string]any) {
+	raw, found, err := unstructured.NestedFieldNoCopy(specMap, "tolerations")
+	if !found || err != nil {
+		return
+	}
+
+	result, ok := raw.([]any)
+	if !ok || len(result) == 0 {
+		return
+	}
+
+	config["podTolerations"] = result
+}
+
+func extractPodAffinity(specMap map[string]any, config map[string]any) {
+	raw, found, err := unstructured.NestedFieldNoCopy(specMap, "affinity")
+	if !found || err != nil {
+		return
+	}
+
+	result, ok := raw.(map[string]any)
+	if !ok || len(result) == 0 {
+		return
+	}
+
+	config["podAffinity"] = result
+}
+
 func firstManagerContainer(specMap map[string]any) map[string]any {
 	containers, found, err := unstructured.NestedFieldNoCopy(specMap, "containers")
 	if !found || err != nil {

pkg/plugins/optional/helm/v2alpha/scaffolds/internal/kustomize/helm_templater.go

@@ -191,6 +191,24 @@ func (t *HelmTemplater) templateDeploymentFields(yamlContent string) string {
 	yamlContent = t.templateVolumeMounts(yamlContent)
 	yamlContent = t.templateVolumes(yamlContent)
 	yamlContent = t.templateControllerManagerArgs(yamlContent)
+	yamlContent = t.templateBasicWithStatement(
+		yamlContent,
+		"nodeSelector",
+		"spec.template.spec",
+		".Values.manager.nodeSelector",
+	)
+	yamlContent = t.templateBasicWithStatement(
+		yamlContent,
+		"affinity",
+		"spec.template.spec",
+		".Values.manager.affinity",
+	)
+	yamlContent = t.templateBasicWithStatement(
+		yamlContent,
+		"tolerations",
+		"spec.template.spec",
+		".Values.manager.tolerations",
+	)
 
 	return yamlContent
 }
@@ -669,6 +687,88 @@ func (t *HelmTemplater) templateImageReference(yamlContent string) string {
 	return yamlContent
 }
 
+func (t *HelmTemplater) templateBasicWithStatement(
+	yamlContent string,
+	key string,
+	parentKey string,
+	valuePath string,
+) string {
+	lines := strings.Split(yamlContent, "\n")
+	yamlKey := fmt.Sprintf("%s:", key)
+
+	var start, end int
+	var indentLen int
+	if !strings.Contains(yamlContent, yamlKey) {
+		// Find parent block start if the key is missing
+		pKeyParts := strings.Split(parentKey, ".")
+		pKeyIdx := 0
+		pKeyInit := false
+		currIndent := 0
+		for i := range len(lines) {
+			_, lineIndent := leadingWhitespace(lines[i])
+			if pKeyInit && lineIndent <= currIndent {
+				return yamlContent
+			}
+			if !strings.HasPrefix(strings.TrimSpace(lines[i]), pKeyParts[pKeyIdx]) {
+				continue
+			}
+
+			// Parent key part found
+			pKeyIdx++
+			pKeyInit = true
+			if pKeyIdx >= len(pKeyParts) {
+				start = i + 1
+				end = start
+				break
+			}
+		}
+		_, indentLen = leadingWhitespace(lines[start])
+	} else {
+		// Find the existing block
+		for i := range len(lines) {
+			if !strings.HasPrefix(strings.TrimSpace(lines[i]), key) {
+				continue
+			}
+			start = i
+			end = i + 1
+			trimmed := strings.TrimSpace(lines[i])
+			if len(trimmed) == len(yamlKey) {
+				_, indentLenSearch := leadingWhitespace(lines[i])
+				for j := end; j < len(lines); j++ {
+					_, indentLenLine := leadingWhitespace(lines[j])
+					if indentLenLine <= indentLenSearch {
+						end = j
+						break
+					}
+				}
+			}
+		}
+		_, indentLen = leadingWhitespace(lines[start])
+	}
+
+	indentStr := strings.Repeat(" ", indentLen)
+
+	var builder strings.Builder
+	builder.WriteString(indentStr)
+	builder.WriteString("{{- with ")
+	builder.WriteString(valuePath)
+	builder.WriteString(" }}\n")
+	builder.WriteString(indentStr)
+	builder.WriteString(yamlKey)
+	builder.WriteString(" {{ toYaml . | nindent ")
+	builder.WriteString(strconv.Itoa(indentLen + 4))
+	builder.WriteString(" }}\n")
+	builder.WriteString(indentStr)
+	builder.WriteString("{{- end }}\n")
+
+	newBlock := strings.TrimRight(builder.String(), "\n")
+
+	newLines := append([]string{}, lines[:start]...)
+	newLines = append(newLines, strings.Split(newBlock, "\n")...)
+	newLines = append(newLines, lines[end:]...)
+	return strings.Join(newLines, "\n")
+}
+
 // makeWebhookAnnotationsConditional makes only cert-manager annotations conditional, not the entire webhook
 func (t *HelmTemplater) makeWebhookAnnotationsConditional(yamlContent string) string {
 	// Find cert-manager.io/inject-ca-from annotation and make it conditional